On Mon, 2014-12-15 at 16:14 -0500, Steve Grubb wrote:
> We don't want any events from within a container unless we also
> have an audit name space. Everything inside the container is potentially
> operating outside the security policy of the system.
I am not arguing with any of the substance/meaning of what you intend in
any way.
However, every time someone uses the word 'container' they are severely
mischaracterizing the problem space. There are no containers. It's even
worse to say 'container' than it is to say 'the path.' Containers are a
userspace construct made out of numerous disjoint kernel primitives
(mainly the numerous namespaces). The kernel does not, cannot, and will
not ever know about a 'container.'
This MUST be a key concept when we think about how to make audit work in
a world where people want to use kernel namespaces.